Security Log For Confluence - Match Username to IP Address

I need to identify the IP addresses that users are accessing my Confluence server from so that I can correctly filter them out in Apache.

JIRA already has an excellent log file which I can use for this (atlassian-jira-security.log) as detailed in 

https://confluence.atlassian.com/adminjiraserver073/logging-and-profiling-861253813.html

  • Security-related information (e.g. login, logout, session creation/destruction, security denials) is written to atlassian-jira-security.log.

e.g.

2018-07-20 09:36:11,161 http-nio-8080-exec-149 url:/rest/dev-status/1.0/issue/summary joebloggs 576x346142x1 - 10.12.22.124,221.250.140.12 /rest/dev-status/1.0/issue/summary The user 'joebloggs' has PASSED authentication.

However this log file doesn't exist for Confluence and I can't seem to find a way to generate this information. Ideally I'd like a log entry for when a user passes authentication which includes the IP address they accessed Confluence from.

Is there a way to create this information in my logs on Confluence?

2 answers

2 accepted

1 vote
Answer accepted
Zak_Laughton Atlassian Team Aug 06, 2018

Hi Dalectric,

You can log user access along with their IP address by enabling User Access Logging in Confluence. See How to Enable User Access Logging.

-Zak

Thanks, I can see I can get close to what I require, but I can't seem to return the IP address. With the default values I get

2018-08-07 10:00:15,845 INFO [localhost-startStop-1] [atlassian.confluence.util.AccessLogFilter] init AccessLogFilter initialized. Format is: <user> <url> <starting memory free (kb)> +- <difference in free mem (kb)> <query time (ms)> <remote address>
2018-08-07 10:00:25,462 INFO [http-nio-8090-exec-3] [atlassian.confluence.util.AccessLogFilter] doFilter - GET https://ukcov-con/pages/viewpage.action 7702577-374790 1084 0:0:0:0:0:0:0:1
2018-08-07 10:00:30,744 INFO [http-nio-8090-exec-11] [atlassian.confluence.util.AccessLogFilter] doFilter - GET https://ukcov-con/login.action 7161220-397312 4636 0:0:0:0:0:0:0:1
2018-08-07 10:00:34,308 INFO [http-nio-8090-exec-8] [atlassian.confluence.util.AccessLogFilter] doFilter - POST https://ukcov-con/dologin.action 6568665-32595 807 0:0:0:0:0:0:0:1
2018-08-07 10:00:49,609 INFO [http-nio-8090-exec-4] [atlassian.confluence.util.AccessLogFilter] doFilter joebloggs GET https://ukcov-con/pages/viewpage.action 6536070+1184355 15273 0:0:0:0:0:0:0:1

Looking at the JIRA setting I see it has a specific API for handling this in 

https://docs.atlassian.com/DAC/javadoc/jira/reference/com/atlassian/jira/util/log/Log4jKit.html

And you can see this in the log file setup on JIRA

log4j.appender.securitylog.layout.ConversionPattern=%d %t %X{jira.username} %X{jira.request.id} %X{jira.request.assession.id} %X{jira.request.ipaddr} %X{jira.request.url} %m%n

There doesn't appear to be the same API for Confluence so how can I add the IP address to the output log file for Confluence?

(I'm plugging away at this so if I find a way I'll post up the answer)

Looking at this some more, it seems that my remote address is coming through as IPv6 (0:0:0:0:0:0:0:1) and not the IPv4 shown in the example (127.0.0.1). Any ideas why this would be?

Adding the following line to my Java options forced it to IPv4 format

-Djava.net.preferIPv4Stack=true

However the IP address is always the Confluence server address. Possibly due to the Apache reverse proxy that's in place. Further investigation ongoing. 

An alternative is to add the following to the server.xml before the </Engine> tag, and it does what I need, but it generates a lot of entries as each element from a page creates a log entry. That means the files will grow to a very large size very quickly. 

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="conf_access_log"
       fileDateFormat="-yyyyMMdd" suffix=".log"
       pattern="%t %a %l %{X-Forwarded-For}i %{X-AUSERNAME}o &quot;%{Referer}i&quot; &quot;%r&quot; %b"
       resolveHosts="false"/>

1 vote
Answer accepted

OK I've cracked it. This is all the things I needed to do.

Add the following to server.xml before </Engine> where the IP address is that of my server (logs the client's IP address instead of the Apache reverse proxy address)

 <Valve
className="org.apache.catalina.valves.RemoteIpValve"
internalProxies="192\.168\.10\.123"
remoteIpHeader="x-forwarded-for"
proxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"
/>

 In WEB-INF web.xml uncommented the following entry

 <filter-mapping>
<filter-name>AccessLogFilter</filter-name>
<url-pattern>/display/*</url-pattern>
</filter-mapping>

 In WEB-INF/classes log4j.properties uncomment and modify

log4j.category.com.atlassian.confluence.util.AccessLogFilter=INFO, accesslog
log4j.additivity.com.atlassian.confluence.util.AccessLogFilter=false

and added the following near the start of the file under the other appender declarations. The ConversionPattern is customised for my needs from the standard declaration.

log4j.appender.accesslog=org.apache.log4j.RollingFileAppender
log4j.appender.accesslog.Threshold=DEBUG
log4j.appender.accesslog.File=${catalina.home}/logs/atlassian-confluence-access.log
log4j.appender.accesslog.MaxFileSize=20480KB
log4j.appender.accesslog.MaxBackupIndex=5
log4j.appender.accesslog.layout=com.atlassian.confluence.util.PatternLayoutWithStackTrace
log4j.appender.accesslog.layout.ConversionPattern=%d %p [%t] %m%n

In the Windows service added the following line (forces IPv4 address as I was getting 0:0:0:0:0:0:1 IPv6 address)

-Djava.net.preferIPv4Stack=true

And now I have a new log file which gives date and time of access along with the username and client IP address

2018-08-15 11:11:23,020 INFO [http-nio-8090-exec-4] joebloggs GET https://con-testsvr/display/CT/task+list 5837972-291988 2587 192.100.22.102

 Thanks to @Zak_Laughton for pointing me in the right direction

Changing the url-pattern to only record the index.action which happens after a user logs in has reduced the size of the log file

<filter-mapping>
<filter-name>AccessLogFilter</filter-name>
<url-pattern>/index.action</url-pattern>
</filter-mapping>
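
Added example (not part of the original posts): a Python parser for the access log layout produced by the configuration above, which builds a username-to-client-IP map and separately lists entries whose address is loopback or the reverse proxy. The sample lines are constructed, and the proxy address is assumed to be the internalProxies value from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Layout from ConversionPattern "%d %p [%t] %m%n" plus the AccessLogFilter message:
# <user> <method> <url> <free mem>+-<diff> <query time ms> <remote address>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) [A-Z]+ +\[[^\]]+\] "
    r"(?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"\d+[+-]\d+ \d+ (?P<addr>\S+)$"
)

def summarise(lines, proxies=("192.168.10.123",)):
    """Return (user -> sorted client IPs, entries whose address is not a real client)."""
    proxy_set = {ipaddress.ip_address(p) for p in proxies}  # assumed proxy address
    seen = defaultdict(set)
    suspect = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["user"] == "-":  # unparsable line, or anonymous request
            continue
        try:
            addr = ipaddress.ip_address(m["addr"])  # normalises 0:0:0:0:0:0:0:1 to ::1
        except ValueError:
            continue
        if addr.is_loopback or addr in proxy_set:
            # The logged address is the server or proxy, not the client
            suspect.append((m["ts"], m["user"], str(addr)))
        else:
            seen[m["user"]].add(str(addr))
    return {user: sorted(addrs) for user, addrs in seen.items()}, suspect

# Constructed sample lines (documentation address ranges, hypothetical users)
SAMPLE = """
2018-08-15 11:11:23,020 INFO [http-nio-8090-exec-4] joebloggs GET https://con-testsvr/index.action 5837972-291988 2587 192.0.2.10
2018-08-15 11:12:01,100 INFO [http-nio-8090-exec-5] - GET https://con-testsvr/login.action 5837000-1000 40 192.0.2.44
2018-08-15 11:15:40,512 INFO [http-nio-8090-exec-2] joebloggs GET https://con-testsvr/index.action 5500000+120000 310 198.51.100.7
2018-08-15 11:20:05,004 INFO [http-nio-8090-exec-9] janedoe GET https://con-testsvr/index.action 5400000-2000 95 0:0:0:0:0:0:0:1
2018-08-15 11:21:17,230 INFO [http-nio-8090-exec-1] janedoe GET https://con-testsvr/index.action 5300000-2500 88 192.168.10.123
"""

if __name__ == "__main__":
    by_user, suspect = summarise(SAMPLE.splitlines())
    for user, addrs in by_user.items():
        print(user, ", ".join(addrs))
    for ts, user, addr in suspect:
        print("address not rewritten:", ts, user, addr)
```

Entries in the second list mean the request was logged with the server's or proxy's own address, for example because the connecting proxy is not matched by internalProxies or the request was made locally on the server.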
